Open yaourabi opened 5 months ago
I have a Gradle multi-project build, in which I generate an SBOM for Java dependencies for each project using the CycloneDX Gradle plugin. I want to merge all the existing SBOMs; however, the resulting SBOM doesn't get rid of duplicated dependencies.

Steps to reproduce

dependencies for the first project

```kotlin
dependencies {
    implementation("org.apache.commons:commons-lang3:3.12.0")
}
```

dependencies for the second project

```kotlin
dependencies {
    implementation("org.apache.commons:commons-lang3:3.12.0")
    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.3")
}
```

```kotlin
tasks.cyclonedxBom {
    setProjectType("application")
    setSchemaVersion("1.5")
    setDestination(project.file("build/reports"))
    setOutputName("bom2")
    setOutputFormat("json")
    setIncludeBomSerialNumber(false)
    setIncludeLicenseText(true)
    setComponentVersion("2.0.0")
}
```

merge

command to merge the two SBOMs

CycloneDX CLI version: 0.25.0

CycloneDX Gradle plugin version: 1.7.4

Expected behavior

Although the commons-lang3 dependency is defined in both projects, I only want it to be declared in the final SBOM once.

Current behavior

The current SBOM declares the commons-lang3 dependency twice.

```json
"dependencies": [
  {
    "ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
    "dependsOn": []
  },
  {
    "ref": "pkg:maven/org.example/app1@1.0-SNAPSHOT?type=jar",
    "dependsOn": [
      "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"
    ]
  },
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3?type=jar",
    "dependsOn": []
  },
  {
    "ref": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
    "dependsOn": []
  },
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3?type=jar",
    "dependsOn": [
      "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3?type=jar",
      "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3?type=jar"
    ]
  },
  {
    "ref": "pkg:maven/org.example/app2@1.0-SNAPSHOT?type=jar",
    "dependsOn": [
      "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar",
      "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3?type=jar"
    ]
  },
  {
    "ref": "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3?type=jar",
    "dependsOn": []
  }
]
```
+1
+1. This blows up the count of both components and vulnerabilities in Dependency-Track. The use case is the following:
+1 Some --deduplicate option would be very useful 👍
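To make concrete what the issue reports and what the proposed `--deduplicate` option would have to do, here is an added example that is not part of the CycloneDX CLI or Gradle plugin. It builds two small BOMs inline, constructed to mirror the issue's app1 and app2 sub-projects, shows that plain concatenation yields the duplicated commons-lang3 entry, and then merges them so that each bom-ref appears once in `components` and once in `dependencies`, with the `dependsOn` lists unioned. The identity rule (bom-ref, falling back to purl) and the minimal component shape are assumptions of this example.

```python
"""Merge CycloneDX JSON SBOMs while de-duplicating components and
dependency-graph entries by bom-ref / purl.

Added example, not part of the CycloneDX CLI or Gradle plugin; it implements
the "merge then de-duplicate" behaviour discussed in the issue using only the
standard library.  The two input BOMs are constructed inline to mirror the
issue's two Gradle sub-projects.
"""
import copy
import json
from collections import Counter

LANG3 = "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"
JACKSON_DB = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3?type=jar"
JACKSON_ANN = "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3?type=jar"
JACKSON_CORE = "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3?type=jar"
APP1 = "pkg:maven/org.example/app1@1.0-SNAPSHOT?type=jar"
APP2 = "pkg:maven/org.example/app2@1.0-SNAPSHOT?type=jar"


def component(purl: str) -> dict:
    """Build a minimal CycloneDX component whose bom-ref is its purl (constructed)."""
    _, rest = purl.split("pkg:maven/", 1)
    group, name_ver = rest.split("/", 1)
    name, version = name_ver.split("?", 1)[0].split("@", 1)
    return {"type": "library", "bom-ref": purl, "group": group,
            "name": name, "version": version, "purl": purl}


# Constructed sample input: roughly what the Gradle plugin emits for app1 and app2.
BOM1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": component(APP1)},
    "components": [component(LANG3)],
    "dependencies": [
        {"ref": LANG3, "dependsOn": []},
        {"ref": APP1, "dependsOn": [LANG3]},
    ],
}
BOM2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": component(APP2)},
    "components": [component(LANG3), component(JACKSON_DB),
                   component(JACKSON_ANN), component(JACKSON_CORE)],
    "dependencies": [
        {"ref": JACKSON_ANN, "dependsOn": []},
        {"ref": LANG3, "dependsOn": []},
        {"ref": JACKSON_DB, "dependsOn": [JACKSON_ANN, JACKSON_CORE]},
        {"ref": APP2, "dependsOn": [LANG3, JACKSON_DB]},
        {"ref": JACKSON_CORE, "dependsOn": []},
    ],
}


def _key(comp: dict) -> str:
    """Identity of a component: bom-ref, falling back to purl (assumed rule)."""
    return comp.get("bom-ref") or comp.get("purl") or json.dumps(comp, sort_keys=True)


def duplicate_refs(bom: dict) -> list:
    """Refs that appear more than once in the dependency graph (the issue's symptom)."""
    counts = Counter(d["ref"] for d in bom.get("dependencies", []))
    return sorted(ref for ref, n in counts.items() if n > 1)


def naive_merge(boms: list) -> dict:
    """Plain concatenation: reproduces the duplicated entries shown in the issue."""
    out = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
           "components": [], "dependencies": []}
    for bom in boms:
        out["components"].extend(copy.deepcopy(bom.get("components", [])))
        out["dependencies"].extend(copy.deepcopy(bom.get("dependencies", [])))
    return out


def merge_boms(boms: list) -> dict:
    """Merge BOMs keeping one component per bom-ref and one dependency entry per
    ref; each entry's dependsOn is the order-preserving union across inputs."""
    components: dict = {}
    deps: dict = {}
    for bom in boms:
        # Each sub-project's own root component becomes an ordinary component.
        root = bom.get("metadata", {}).get("component")
        for comp in ([root] if root else []) + bom.get("components", []):
            components.setdefault(_key(comp), copy.deepcopy(comp))
        for dep in bom.get("dependencies", []):
            entry = deps.setdefault(dep["ref"], {"ref": dep["ref"], "dependsOn": []})
            for target in dep.get("dependsOn", []):
                if target not in entry["dependsOn"]:
                    entry["dependsOn"].append(target)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": list(components.values()),
            "dependencies": list(deps.values())}


if __name__ == "__main__":
    print("naive duplicates:", duplicate_refs(naive_merge([BOM1, BOM2])))
    merged = merge_boms([BOM1, BOM2])
    print("merged duplicates:", duplicate_refs(merged))
    print(json.dumps(merged, indent=2))
```

`duplicate_refs` is the check worth running on any merged BOM before uploading it to Dependency-Track: a non-empty result means component and finding counts will be inflated. Note that de-duplicating by bom-ref is only safe when refs are globally unique across the inputs, which holds here because the Gradle plugin uses the purl as the bom-ref; BOMs that use opaque per-file refs would need to be keyed on purl instead.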